Locate email accounts being used to spam

In this article I'll review how you can investigate your VPS (Virtual Private Server) or dedicated server for possible sources of outgoing spam. This can help ensure that your mailing IP's reputation isn't being negatively affected causing delivery problems for your legitimate users.

If you've read my previous article on 535 incorrect authentication errors you should already know how to track down IP addresses of malicious users attempting to login to your email accounts so that they can relay spam with them. However if someone has successfully obtained one of the passwords for your email accounts, that method won't work for locating them, as they won't be showing authentication errors since they're logging in without issues.

A good way to keep tabs on this type of malicious activity is by knowing that typically one email account isn't going to have too many IP addresses connecting to it. Now that's not to say you might not have a few for each account, as people will connect from their home, office, and possibly mobile phone to send email. But if you notice that IP addresses are connecting from multiple geographical locations this is a good indication that your email account's password has been compromised and possibly sold to a spammer that is now using multiple computers as part of a bot net spread across the world.

In order to follow the steps I'll discuss in this article, you'll need to have root access to either your VPS or dedicated server so that you have access to the Exim mail logs.

Locating multiple IP address logins for mail accounts

Using the steps that follow I'll show how you can keep tabs on how many IP addresses are connecting to your mail server per email address. Then you can take a look to see if they seem malicious and block them at your server's firewall to prevent further delivery attempts.

Use the sed -e command to first strip out the H=example.com (UserComputer) [ section from the log, then follow with another -e flag to also take off the ]:1234 section surrounding the user's IP address.

awk '{print $5,$6}'

Use the awk command to only print the $5th and $6th columns, which is the email address and IP address.

sort | uniq | awk '{print $1}' | uniq -c

Sort all the data by the email addresses, then only show unique entries so you should get user@example.com 123.123.123.123 and user@example.com 124.124.124.124 for instance. Use awk to only print the $1st column which is the email address, then uniquely count them.

awk '{ if ($1 > 1) print $0}'

Use the awk command with an if statement so that if the $1st column has a count higher than 1 it prints out the total line. This should show how many unique IP addresses a given email address has been accessed over.

Use the sed -e command to first strip out the H=example.com (UserComputer) [ section from the log, then follow with another -e flag to also take off the ]:1234 section surrounding the user's IP address.

awk '{print $5,$6}'

Use the awk command to only print the $5th and $6th columns, which is the email address and IP address.

sort | uniq -c

Sort all the data by the email addresses and then provide a unique count of each IP that connected to that account.

In this case the user01@example.com account had been connected to from 4 different unique IP addresses, so this command will output how many times each of those IPs connected:

Updating email passwords and blocking IPs

Now that you know there are several unique IP addresses connecting to one email account of yours, you can check the location of those IP addresses with an online service such as GeoIPTool.com. If you know the person owning the email account lives in the US and you're seeing IPs sending out mail from that account from China and Russia, chances are the account has been compromised and is being used to send out spam.

Using the steps below you can block those bad IP addresses from being able to attempt to access your server again, and you can also update the email account's password so that if they attempt to relay more spam through the account they'll get an authentication error.

In our example above we had the following IP addressess all relaying through our one user01@example.comaccount:

123.123.123.123 123.123.123.124 123.123.123.125 123.123.123.126

If we wanted to block all of these at our server's firewall after determining they are malicious IPs we can run the following command:

Because these IPs successfully logged into your mail server to relay mail with the user01@example.com account, you'll also want to be sure to follow our guide on how to change your email password in cPanel to prevent them from attempting further messages from a different IP address.

You should now understand how to track down email accounts on your server that are being connected to from multiple IP addresses. This should help ensure that your email accounts are not compromised and possibly sending out spam or other malicious material. You should also know how to block those IP addresses from accessing your server, and update your email account's password to prevent further access to these malicious users.